A secure feeling

About a year ago I upgraded to a “smart” phone; last month I crunched it in a bicycle crash; and all throughout I have become increasingly concerned about how easily it could be lost or stolen. This vulnerability, amplified by the recent Target credit card snafu, drove me to tighten up security for my online identity. I’m feeling more relaxed as a result, and I encourage you to read on and learn how you can do the same.

As explained in this Zonealarm article, access to your email—a likely by-product of cell phone loss—could enable a thief to use the “Forgot password” procedures to gain access to many important websites. So, I’m taking some extra precautions for all of my sensitive accounts like banking and shopping. While most of these steps are simple, in aggregate they can represent a huge change. Therefore, I’m presenting them as a series, and I suggest that each individual consider implementing them on a gradual basis.

The most basic protections, like setting an unlock code, are identified in the FCC Smartphone Security Checker, a quick read that is a good start for everyone. In keeping with their recommendation to run a security app, I use the free Avast Mobile Security and Anti-Virus. (Someday I’ll add backup when I find an app I like.)

Account passwords are your most important defense against identity thieves. I use a different password for every website, and all of them are composed of 14 randomly-chosen upper case, lower case, digit, and symbol characters. Crooks can’t guess them, and the loss of any password can jeopardize only one account. Of course, it would be impossibly difficult for me to remember them too!

That’s why I use RoboForm Everywhere to generate and store them. As explained in this PC Magazine article, password manager programs make it easy to protect yourself online. They even memorize the entire logon sequence for your important websites, so access requires only a single click. Although RoboForm has served me very well for years, I am tempted by LastPass because it receives such strong reviews, and it supports Google Authenticator (see below).

These programs essentially hold your passwords inside a digital vault that you open by entering a master password—the one password that you must actually remember. It is also the most important one because it protects all the others. So it is critical to choose correctly: the master password must be easy for you to remember and impossibly difficult for others to guess.

I will admit to some very heavy skepticism about storing all of my passwords “in the Cloud” as is the case when using the top-rated RoboForm Everywhere and LastPass products. I reconciled myself to doing so on the strength of reading many solid reviews of these products, and by employing a very strong master password.

Strong PasswordsCryptography uses the term strong to describe a password that is good enough to protect very sensitive data like financial records. Conversely, a reasonable password might be OK for more typical uses such as an email account or a Windows log on. The primary difference is length; whereas a reasonable password might be 8 characters, a strong password will be 12 or more.

Of course, all decent passwords share several characteristics: they are not a word or combination of words that can be found in a dictionary; and they contain at least one lower case character, one upper case character, one digit, and one symbol.

An example of a strong password that is hard to guess but easy to remember is $matomeNO2co3dn*. Easy to remember, you ask incredulously?

Consider the Three Dog Night song Mama Told Me Not to Come. If we highlight the first two letters of each word, substitute digits where convenient, emphasize “not” with upper case, and enclose it between a dollar sign and a star, we could rewrite it as:

$mama told me NOt 2 come 3 dog night*

Simply remember the name of the song and type the highlighted characters. Like anything else, once you’ve typed it a couple dozen times, your fingers will do it without much conscious effort.

Any song, phrase, movie, book, etc. can be used this way. It helps to have one or more naturally occurring number-words like won, to, too, two, for, fore, ate, etc. A similar example from another era might be ^frsi!lbal2n% from:

^frank sinatra ! luck be a lady 2 night%

Interesting sites to test passwords include: PasswordMeter.com, Rumkin.com, and OnlineDomainTools.com. Note that even though these sites say they do not transmit passwords outside of your computer, it is wise to test a similar set of characters instead of actually typing your own real password. Good password practice dictates that you never type or write your password anyplace except into the approved site, or into an application such as RoboFrom or LastPass where it is required.

Whew! For some readers, that is a lot to digest. In fact, for those who still have only a few relatively weak passwords across all of their sites, I suggest that rather than reading the rest of this post, it’s time to focus on what is above. I know this sounds like a lot of work, and, indeed it is. However, it is essential to create safe passwords if you want to feel secure online.

The remainder of this post explains several additional steps that can further enhance online security, particularly to limit potential damage if a thief were to obtain your phone and thereby your email address.

I don’t enable access to RoboForm on my phone. Although theoretically it is safe to do so because it requires entry of the master password every time, I don’t have enough need to bother with it. The apps for each of the social media sites that I used from my phone remember my passwords anyway, so I had to type each of the long, random passwords into the phone just once.

I also use two separate email accounts. My general correspondence mailbox is conveniently accessible from my phone. A newer mailbox—which is the only email tied to my sensitive accounts—is (a) not accessible from my phone, and (b) requires 2-factor authentication (see below). I like this extra protection on the sensitive email account to insure that crooks can never use websites’ “Lost Password” procedures against me.

Furthermore, wherever possible I set up account “security questions” that cannot be answered based on family or searchable knowledge. So things like “mom’s maiden name”, “city where father was born”, etc. get replaced with much more obscure data that has never been on the web or in the public domain. It seems much more appropriate to use arbitrary questions like “favorite song” that can be answered consistently, though not necessarily accurately. The SafeNote feature in RoboForm is a convenient place to store these items.

Finally, I never accept an offer to log into a sensitive website via my Facebook, LinkedIn, Google or other account. I sure don’t want to take the chance that a lost phone—which does have access to these social media accounts—could thereby allow thieves to open any other doors.

Until recently, I had resisted two-factor authentication as inconvenient. But, in reality, I’m finding it quite easy—almost like being back at AOL, where employees had to carry a small device on their key ring to generate a unique number for each log in.

The Google Authenticator app (for Android or iPhone) makes two-factor easy, and I generally have to enter the code only once on each computer (or browser). I find it very worthwhile for protecting my “sensitive” email account, and I’ll actually be considering two-factor for other sites as well.

Once you take the time to implement a more secure structure to protect your online identity, you can drop a whole class of worry from your mind so you’ll rest easier and sleep more soundly.